Cyber Defense at NATO: From Wales to Warsaw, and Beyond

In 2014, while reflecting upon the decision made by NATO Allies to bring cyber defense under the umbrella of NATO’s collective defense – whereby an attack on one is considered an attack on all – NATO’s Secretary General Jens Stoltenberg highlighted: “Cyber attacks can be as dangerous as conventional attacks. They can shut down important infrastructure. They can have a great negative impact on our operations.”

Cyberspace – and our reliance upon it for economic growth, societal development, as well as the efficient and effective functioning of countries and populations – is to many a somewhat incomprehensible virtual reality, a man-made space more than the sum of its parts. Despite this, it is of increasing concern that, absent cyberspace, industrialized nations, forced to metaphorically revert to paper and pen, would soon teeter and collapse.

Whilst such a scenario has not yet fully come to pass, the 2007 cyber attacks against Estonia, which for a brief period of time took most of the country offline, are universally regarded as a “wakeup call.” For many, the attacks offer an important case study of how nation-states utilize cyberspace as a medium to pursue their strategic aims, making it all the more timely to reflect upon what the North Atlantic Alliance, founded nearly 70 years ago, is doing about cyber attacks.

Reflecting the adoption of cyberspace and associated technology by the armed forces, NATO increasingly finds itself reliant upon cyber-enabled technologies. One example is the command and control arrangements for Ballistic Missile Defense (BMD). These networks and systems must be able to support decision-making amongst the highest levels within the Alliance in a matter of minutes.[1] In other capabilities, such as the well-known Airborne Warning and Control System (AWACS), the increasing use of off-the-shelf technology, also known as digitization, is also firmly here to stay. Indeed, for an organization that is essentially about connectivity between sovereign Allies, the security and resilience of IT systems that underpin command and control and consultation are of vital importance.

This reliance, and the associated vulnerability (caused by a range of factors), presents an attractive target for a range of different reasons. Those who wish to exploit cyberspace for malicious ends or in the interest of achieving strategic objectives opposed to or in conflict with those of the Alliance can be commonly separated into four types.

Firstly, there are cyber criminals who seek to gain financially through cybercrime, whether by attacking banks, compromising credit cards or e-banking applications on computers belonging to end-users, or stealing personal data. A case in point is the breach at UK telecommunications company TalkTalk in 2015, when millions of customer records were copied out of the firm’s customer database.[2]

Next are groups or individuals driven by ideology, who are more difficult to pin down and usually perform disruptive attacks aiming to bring visibility to their cause. For example, in 2014 the hacker collective Anonymous unsuccessfully launched a cyber attack known as a Distributed Denial of Service (DDoS) against Amazon in response to its decision to halt hosting Wikileaks on its cloud computing service.[3]

Increasingly and most seriously, nation-states have seen the value of cyberspace as a venue and medium for advancing their own strategic and national security interests. This includes espionage, disruption, and interference, all as publicly reported by governments and the private sector. For example, prior to the illegal annexation of Crimea by Russia in 2014, a number of cyber attacks occurred against Ukrainian government computer systems, including those attempting to sow discord and confusion.[4] In 2014, the US indicted five People’s Liberation Army (PLA) officers on counts of cyber espionage of US commercial intellectual property.[5] More insidiously, the US intelligence community released an unclassified assessment of the cyber attacks against the US Democratic National Convention, attributing these to Russia. The ongoing investigation into suspected Russian interference with the 2016 US presidential election continues to illustrate the attractiveness of action through cyberspace.[6]

Whilst public examples of the integration of cyber into military operations are relatively rare, there are a few salutary lessons. In Operation Orchard in 2007, for example, Israel was apparently able to disrupt the Syrian integrated air defense system through a cyber attack long enough to open a corridor allowing a strike aircraft to attack a suspected nuclear reactor at Deir-e-Zor.[7] More recently, in 2016 both the UK and the US announced the employment of cyber attacks in the fight against Daesh in Iraq.[8]

As a multi-national regional security organization, NATO is particularly challenged by sophisticated adversaries known as “advanced persistent threats,” which the industry regularly concludes are either operating directly or backed by nation-states or their proxies. For example, around the time of the 2014 NATO Summit in Wales, NATO’s main public facing website was taken down for a short period of time by a group calling itself Cyber Berkut.

NATO’s first policy framework in 2002 gave voice to initial considerations – albeit of a technical nature – about how to address these types of threats. Over the years, this has evolved from an inward-looking approach, which took NATO’s own networks and systems into consideration, to a more outward-facing model. This builds upon the legacy of work done in protecting NATO’s own networks, but also sets out a range of measures to support Allies and, most latterly, play a bigger role in the achievement of NATO’s own objectives. This trajectory reflects a maturing and increasingly de-centralized approach to understanding cyber defense, which recognizes that although security of information and of the technology used to process it is a key part of the discipline, doing cyber defense well requires a more sophisticated strategic treatment based around coordination, partnership, cooperation, and information exchange. Nonetheless, NATO’s approach maintains adherence to its primary cyber defense priority, which is the protection of NATO’s own networks, whilst at the same time engaging in work to bolster Alliance-wide resilience.

The Enhanced NATO Cyber Defense Policy

The Enhanced NATO Policy on Cyber Defence endorsed at the Wales Summit in 2014 was instrumental in a number of ways, not least for the manner in which it brought cyber defense under the umbrella of collective defense, established a framework of assistance to Allies, reinforced capacity and capability development including through training and exercises, and enhanced partnerships, particularly by establishing the NATO Industry Cyber Partnership (NICP).[9]

Cyber Defense and Collective Defense

The Enhanced NATO Policy on Cyber Defence has probably become best known for the fact that, for the first time, cyber defense was brought under the umbrella of collective defense in Article 5 of the Washington Treaty. This states that an attack on one may be considered as an attack on all. What this means in practice is that if an Ally is subject to a cyber attack, it can bring its case to the North Atlantic Council to seek agreement for the invocation of Article 5. Nonetheless, although eye-catching, the invocation of Article 5 is not an automatic process beyond the control of Allies. As befits an organization which operates amongst sovereign nations but not over them, NATO provides the platform for discussion between Allies in the North Atlantic Council and it would ultimately be up to the Ally to argue its case. It is worth noting that the only time in history when Article 5 has been invoked was on 12 September 2001 following the terrorist attacks in New York and Washington D.C.[10]

The Enhanced Policy also recognized that international law, including international humanitarian law and the UN Charter, applies in cyberspace. This was also in step with the 2013 conclusions of the United Nations Group of Governmental Experts (UN GGE) regarding the applicability of international law to cyberspace.

Aside from the headline-grabbing discussions on Article 5 and collective defense, there are two other clauses in the Washington Treaty that are also relevant to the discussion on cyber defense. The first is Article 3, which states that it is the responsibility of every Ally to provide for its own security. This is important because although cyber defense is widely regarded to be an activity where cooperation is instrumental, it does not absolve Allies from the responsibility to shoulder their own defense burden. Article 4 – concerning the right for an Ally to ask for consultations – is also often overlooked. It is seen as useful in terms of providing Allies with options when confronted with crises that do not warrant Article 5, as might be characterized by a hybrid campaign including cyber attacks.

Assistance to Allies

The policy agreed upon at the Wales Summit also further strengthened the framework for assistance to Allies through the establishment of Rapid Reaction Teams (RRTs). Based within the cybersecurity service line of the NATO Communication and Information Agency, these teams are on standby firstly to assist in cyber attacks against NATO networks but also, subject to approval by the Council, to be deployed to a stricken Ally. Parameters concerning what each RRT would and would not be allowed to do in the case of deployment are covered in the Memorandum of Understanding (MoU) agreements signed between NATO and each Ally. Based on a standardized template, this MoU also sets out other important aspects of the cyber defense relationship between NATO and each Ally, including information exchange and policy and technical points of contact.

Capability and Capacity Development

Whilst the RRTs are one instrument available to Allies, another important tool which NATO uses to enable capability development at the national level is the NATO Defence Planning Process (NDPP). The NDPP is a well-honed process whereby each Ally assumes certain defense planning targets stemming from high-level political direction, and its delivery of these is scrutinized by its peers. NATO officials periodically survey the progress of each Ally in delivering these capability targets, which cover a range of defense planning domains in air, land, and sea and increasingly in civilian-military domains.[11] In 2013, Cyber Defence Capability Targets were introduced and subsequently adopted by Defense Ministers in their 2014 meeting. These capability targets set out a range of commitments that each Ally signed up to, including creating a cyber defense governance structure, a 24/7 incident response capability, as well as establishing a military cyber defense training and education program.

The Wales Summit also saw improvements in training and education with the integration of cyber defense into the range of exercises and courses across the Alliance, both at the operational and strategic-political level, with the Trident Juncture exercise and NATO’s Crisis Management Exercise (CMX), respectively. More specifically, the annual Cyber Coalition represents the flagship NATO cyber defense exercise, which regularly includes dozens of Allies and partners. NATO also facilitates training and education through a range of courses offered by the NATO School in Oberammergau, the NATO Defense College (NATO’s own “university”), and the NATO-affiliated Co-operative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, Estonia. This unique organization – which sits outside the formal hierarchy of the Alliance and is composed of 16 Sponsoring Nations and two Sponsoring Participants[12] – has become a well-known international “knowledge centre” regarding cyber defense. In addition to courses and technical training, it also runs the exercise “Locked Shields,” which pits teams against each other in a simulated cyber game. The CCD CoE also convenes the annual CyCON conference, which is regarded as a good opportunity to exchange and share knowledge on cyber defense policies and strategy. In addition, the Tallinn Manual, published by the CCD CoE and now in its second edition, makes an important contribution to help further clarify how international law applies in cyberspace during conflict and crisis situations as well as during peacetime.[13]

Partnerships

Wales was noteworthy in further galvanizing NATO’s relationship with key partners. NATO engages with non-NATO nations on a tailored approach based on common values and shared interests. Interaction occurs with over 40 partner countries and represents an important cyber defense contribution to building stability. This is particularly important given the fact that borders are largely, although not entirely, irrelevant in cyberspace.

Cooperation with other international organizations is particularly noteworthy. Wales provided the framework for stepping up cooperation with the European Union which would bear fruit in 2016 with a Technical Arrangement between NATO’s own cyber defense experts, the NATO Computer Incident Response Capability (NCIRC) and their counterparts in the Computer Emergency Response Team for the European Union Institutions (CERT-EU).[14] In recognition of the importance of other international organizations, however, the Policy agreed at the Wales Summit also highlighted the importance of the work done by the United Nations Group of Governmental Experts (UN GGE) on voluntary norms in cyberspace and the Organisation for Security and Co-operation in Europe (OSCE) in developing confidence-building measures for cyberspace.

Lastly, in recognition of the important role that collaboration plays in cyber defense, the Wales Summit also saw the creation of the NATO Industry Cyber Partnership (NICP). Envisaged as a broad umbrella to stimulate and encourage interaction with industry for the primary purpose of reinforcing the defense of NATO’s own networks, the fact that NATO was able to establish such a platform should not be underestimated. Given the role of industry in cyberspace, both in terms of its ownership of the infrastructure and the part it plays in innovation, it was timely and, some might say, overdue recognition by NATO of the need to engage more substantively with industrial partners on cyber defense. The NICP has 12 objectives, and some of the most important include improving the sharing of expertise, information, and experience of operating in a rapidly evolving threat landscape; helping NATO and Allies learn from industry; raising awareness and improving understanding of cyber risks; and leveraging private sector developments for cyber defense capability development.

Cyber Defense at the Warsaw Summit

Although the Enhanced NATO Policy on Cyber Defence continues to guide NATO’s efforts, two important cyber defense decisions taken by Allies at the Warsaw Summit have caught the limelight. The Cyber Defence Pledge[15] and the Recognition of Cyberspace as a Domain of Operations are at their heart two sides of the same coin. They showcase political will within the Alliance to mainstream cyber defense into the DNA of Euro-Atlantic security. In so doing, they aim to act as a catalyst for a change of culture and mindset regarding cyber defense, both within and across the Alliance.

The Cyber Defence Pledge

On the one hand, the Cyber Defence Pledge made by Allies to strengthen and enhance their cyber defenses was firmly aimed at Allies and seeks to galvanize political momentum to give the proper attention to cyber defense at the highest levels. This is firmly within the context of Article 3 of the Washington Treaty which underlines that NATO’s role is not to replace national responsibility for defense and security, but rather to enable it. Practically, whilst non-binding, the Cyber Defence Pledge represents a significant transatlantic commitment to advance toward seven key objectives while recognizing that the evolving landscape means cyber defense is never truly complete. Seven key objectives set out in detail what the Cyber Defence Pledge means in practice. These run across a comprehensive set of priorities including developing the fullest range of capabilities, treating cyber defense at the highest strategic levels, and ensuring cyber defense is deployed end to end across all networks, whether they be static or deployed. Others include fostering training and education activities, raising awareness and sharing information, and best practices among relevant stakeholders. One commitment in particular stands out, which concerns resourcing. Like the NICP in 2014, some would say the explicit recognition by Allies of the need to fund cyber defense was overdue. Nonetheless its presence in the Pledge represents an important step forward and a useful touchstone for further developments.[16]

The Cyber Defence Pledge foresees regular assessments of progress to further encourage implementation, requiring that at each Summit progress is reviewed. To facilitate this, a common assessment and reporting approach was developed which consists of a set of detailed questions for each of the seven key objectives. These questions are used to collect information on progress along with further in-depth discussions in bilateral meetings between Allies and NATO officials. These questions – and an associated maturity model whose employment is voluntary – allow Allies to reflect upon progress through describing expected characteristics of implementation at each level of maturity. A conscious decision was taken not to adopt simplistic scoring since in a way the Cyber Defence Pledge is about understanding and improving the quality and sustainability of decision-making and planning with regard to cyber defense, rather than simply meeting a certain numerical threshold, although at a technical level this is undoubtedly important.

The first report on how Allies are implementing the Cyber Defence Pledge was produced in time for the May 2017 High Level meeting of NATO leaders in Brussels. In addition to noting the value of the Pledge in energizing high-level political support for cyber defense, this report highlighted the value of the Cyber Defence Pledge to Allies, especially in bringing together disparate stakeholders and acting as a platform to stimulate cooperation.

Substantively, the report found that whilst in many Allies the cyber defense policy framework was relatively mature, challenges existed in resourcing, recruitment, and retention. In addition, although extensive evidence of technical training was in existence, many Allies found challenges in addressing the cyber defense training needs of operational level personnel.

The Recognition of Cyberspace as a Domain of Operations

On the other side of the coin from Warsaw was the decision to recognize cyberspace as a domain of operations. Such a recognition had already been made by a few Allies[17] and whilst the rationale for each slightly differed, these decisions were intended to acknowledge that cyberspace had become a domain or space with the potential for competition, rivalry, and even conflict between nation-states. Therefore, there was a need to be able to train, equip, and man for operations in this domain, as the traditional services do for operations in their respective environments. Whilst experts offer different views[18] on the utility of treating cyberspace as a domain like air, land, or sea, for a political-military Alliance such as NATO to fail to take account of this would have had important operational, strategic, and reputational ramifications.

The recognition of cyberspace as a domain of operations is not a smokescreen for a change of NATO’s mandate, which will remain defensive in nature. Just like in the other domains or environments, NATO acts by consensus and every decision is taken with respect to obligations under international law. It is also important to recall that for all cases (except in the case of the Alliance-owned AWACS and AGS), NATO Operations and Missions employ capabilities developed and held at readiness by Allies, which are then nominated and transferred to the commander’s operational authority under a strict framework of political oversight. Such arrangements will continue in this “new” domain of cyberspace.

The decision to recognize cyberspace as a domain is at its core about driving coherence in capability development and how NATO addresses cyberspace from an operational perspective. To draw an analogy from the world of commerce, this decision aims to elevate cyber defense to being a board level issue; in the case of Alliance operations and missions, the “chairman of the board” being the operational commander. By treating cyberspace as a domain, like air, land, or sea, cyber defense will not simply be a set of administrative tasks to meet information and network security objectives of confidentiality, availability, and integrity but rather something that adds value to an operation. The operational commander, as the key decision maker, will therefore have a broader set of tools, thus enabling him to more effectively demand answers and take decisions on key questions such as “what is or could be the cyber defense contribution to mission success?”; “how could operations in the other domains support cyber defense objectives?” and conversely “how could cyber defense support my course of action in other domains?” This decision is thus about behavioral change: for example, getting operational planners to accept that any operation will occur in a contested and potentially degraded cyberspace environment. This is a more accurate reflection of how cyber threats have the potential to affect operations and missions.

Aside from these important considerations, the recognition of cyberspace as a domain of operations imposes further requirements, such as the need to drive and sustain coherence in all contributing lines of capability development. These include, for example, doctrine, organization, training, capability development, and interoperability. To accomplish this, NATO’s strategic commands are working on an ambitious and complex three-year road map involving 10 distinct lines of effort.

What’s Next?

Looking ahead to the next NATO Summit in 2018, it is clear that NATO’s approach to cyber defense will continue to integrate into NATO’s broader goals of securing Euro-Atlantic stability and prosperity through its core tasks of collective defense, crisis management, and cooperative security. Furthermore, progress on implementing the Cyber Defence Pledge will be again reviewed in the summer of 2018, taking into account the results of the first year of progress.

For NATO, the implementation of cyberspace as a domain of operations will continue as the military begins to bring to reality some of the aspects around organization, doctrine, and capability development to allow the Alliance to be as effective in cyberspace as in air, on land, and at sea.

NATO will also further deepen its engagement with partners: from the United Nations and European Union to some 40 partner nations. Interaction with industry and academia will continue, especially as technological innovation such as artificial intelligence means that cyber defense will require far more innovative approaches to stay one step ahead of the adversary. Ultimately, the international community stands to benefit from a norms-based, predictable, and secure global cyberspace, and the work of the Alliance, now and in the future, is aimed at achieving this goal.

[5] “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” US Department of Justice, 19 May 2014, https://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor

[6] “Background to ‘Assessing Russian Activities and Intentions in Recent US Elections’: The Analytic Process and Cyber Incident Attribution,” US Director of National Intelligence, 6 January 2017, https://www.dni.gov/files/documents/ICA_2017_01.pdf

http://www.bbc.com/news/uk-37721147; David E. Sanger, “U.S. Cyberattacks Target ISIS in a New Line of Combat,” New York Times, 24 April 2016, https://www.nytimes.com/2016/04/25/us/politics/us-directs-cyberweapons-at-isis-for-first-time.html

[13] “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations to Be Launched,” CCDCOE, 2 February 2017, https://ccdcoe.org/tallinn-manual-20-international-law-applicable-cyber-operations-be-launched.html

[17] I.e. France, the Netherlands, the United Kingdom, and the United States.

[18] For a differing view, see Martin C. Libicki, “Cyberspace is not a Warfighting Domain,” Journal of Law and Policy for the Information Society, Vol. 8, No. 2 (2002), pp. 325-340, https://www.rand.org/pubs/external_publications/EP51077.html

CONTRIBUTOR

Neil Robinson

Neil Robinson is a Policy Officer for Cyber Defense in the Emerging Security Challenges Division at NATO Headquarters. The views expressed in this article are the author’s own and do not necessarily represent the official position or policy of member governments, or of NATO.